Protection of Personal Information Obtained Through Canadian Nurses Association (“CNA”) Websites
The CNA Privacy Officer is accountable for CNA’s policies and practices with respect to the management of personal information and is the individual who handles complaints and inquires.
Canadian Nurses Association
Ottawa, Ontario K2P 1E2
Tel. (613) 237-2133
Fax: (613) 237-3520
It is CNA’s policy to control the collection, use and disclosure of personal information in accordance with all requirements set out in the Personal Information Protection and Electronic Documents Act, S.C. 2000, c.5 (“PIPEDA”).
Note: PIPEDA does not apply to personal information that CNA collects, uses or discloses only for journalistic, artistic or literary purposes.
1.1 Deemed Consent to Privacy Statement Terms
CNA maintains written policies that conform to legislative requirements that oblige organizations to have written website privacy statements. Through posting visible links to this privacy statement on various pages of its websites, CNA has made a reasonable effort to ensure that you are advised of the purposes and terms under which your personal information will be used. Please read this privacy statement carefully so that you will understand how your personal information will be treated as you make use of the CNA websites.
By using the CNA websites, you agree to and are aware of the terms of this privacy statement.
1.2 Requirements of CNA
The following requirements shall be met by CNA, unless exempted by PIPEDA.
Collection of Personal Information
Unless otherwise authorized by PIPEDA:
- No personal information will be collected by CNA unless it relates directly to an operating program or activity of CNA.
- CNA shall, wherever possible, collect personal information that is intended for administrative use directly from the individual to whom it relates, except where the individual authorizes otherwise.
- CNA will inform any individual from whom it collects personal information the purpose for which the information is being collected.
Why CNA Collects Personal Information
CNA collects and/or compiles personal information for administrative purposes, including to:
- create internal reports;
- create administrative records;
- determine aggregate web usage levels;
- provide information on CNA benefits, programs, services, policies and other topics;
- give you the opportunity to provide feedback on the CNA website and its programs, services and policies;
- give you the opportunity to utilize online resources;
- communicate with you; and/or
- use for a specific purpose for which the information was obtained or compiled.
CNA shall take all reasonable steps to document the purposes for which personal information is collected on its websites.
Retention of Personal Information
CNA will retain personal information for such period of time after its use as may be prescribed by PIPEDAor its regulations so as to ensure that the individual to whom the information relates has a reasonable opportunity to obtain access to the use of the information.
Accuracy of Personal Information
CNA will take all reasonable steps to ensure that personal information is as accurate, up-to-date and complete as possible.
Disposition of Personal Information
CNA shall dispose of personal information under its control in accordance with PIPEDAor its regulations, directives or guidelines issued by the designated Minister relating to the disposal of such information, and in accordance with CNA’s corporate retention schedule.
Use and Disclosure of Personal Information
Personal information under the control of CNA will not be used or disclosed by CNA to a third party except for the purpose for which it was obtained or compiled, or for a use consistent with that purpose, without the consent of the individual to whom it relates, or unless otherwise authorized by PIPEDA.
In certain circumstances, personal information subject to PIPEDA may be used or disclosed without the knowledge or consent of the individual concerned. Such circumstances include, but are not limited to:
- the purpose for which the information was obtained or compiled by CNA, or for a use consistent with that purpose;
- complying with a subpoena, warrant or order issued by a court, person or body with authority to require that the information be produced; or complying with rules of the court relating to producing the information;
- an investigative body specified in the regulations for enforcing laws or carrying out a lawful investigation;
- officers or employees of CNA for internal audit purposes;
- the Library and Archives of Canada for archival purposes; and/or
- a situation where disclosure would clearly benefit the individual to whom the information relates.
Personal Information Banks
For administrative purposes, CNA shall include in personal information banks all personal information under its control that has been or is being used or is available for use.
Record of Disclosures
CNA shall (1) keep a record of any use of personal information contained in a personal information bank, (2) keep a record of any use or purpose for which the information is disclosed where it is not included in the statements of uses in the personal information index published by the designated Minister, and (3) attach the record to the personal information.
Access to Personal Information
Upon receipt of a written request for access to an individual’s own personal information, CNA shall provide a right of access, subject to PIPEDA,to:
- any personal information about the individual requestor contained in a personal information bank; and/or
- any other personal information under the control of CNA where the individual is able to provide enough information on the location of the information as to render it reasonably retrievable.
Individuals who are given access to their personal information for an administrative purpose may:
- request that the personal information be corrected where the individual believes there is an error or omission;
- where a correction was requested but not made, require that a note be attached to the information;
- request to be notified of any correction or notation made to the information;
- require that any person or body to whom that information has been disclosed be notified of the correction or notation within two years of the time the correction/notation is made;
- where the disclosure is to a government institution, request that the institution makes the correction or notation on any copy of the information under its control.
Refusal of Access to Personal Information
CNA may refuse to provide access to personal information, as provided by PIPEDA,where such information, among other circumstances:
- is subject to solicitor-client privilege;
- is part of, or relates to, an investigative record where disclosure could be injurious to the enforcement of a federal, provincial or territorial law or the conduct of investigation; and/or
- where disclosure threatens the safety of individuals.
All CNA employees who collect maintain and/or use personal information are responsible for insuring that the collection, use and disclosure of this information is carried out in accordance with this policy and relevant procedures.
The Privacy Officer is responsible for ensuring compliance with the law and for initiating development of procedures, guidelines and schedules to bring this policy into effect.
1.4 Internet Security
CNA websites use state-of-the-art advanced encryption, firewall and other technology to ensure the security of personal information. Although CNA will make every reasonable effort to protect personal information from loss, misuse or alteration by third parties, Internet users should be aware that there is always some risk involved in transmitting personal information over the Internet.
Privacy on the Internet
The following applies to all CNA websites:
- CNA respects the privacy of its Internet users and will protect that privacy by all means necessary as required by PIPEDA.
- CNA does not collect information that personally identifies individuals except when individuals provide such specific information on a voluntary basis. In all such cases, CNA will collect only such information as is voluntarily provided by the individual, and will undertake to keep such information strictly confidential. Individual information provided to CNA for the purpose of gaining access to any CNA website will not be sold or made available to a third party.
- CNA reserves the right, however, to perform statistical analyses of user behaviour and characteristics in order to measure interest in and use of the various sections of its sites so as to improve design and navigation and to gather marketing information. Only aggregated data from these analyses (not individual data) will be used for this purpose.
Users who do not want cookies placed on their computer by CNA may disable cookies by modifying the Preferences section of their web browser. Note that if cookies are disabled, some aspects of CNA websites may be unavailable. Users who enable cookies on their computer and want to see them can modify the cookie warning section by turning on a warning prompt.
CNA’s privacy standards are based on the Canadian Standards Association’s Model Code for the Protection of Personal Information (the “Model Code”). Part 4 of the Model Code is Schedule 1 of PIPEDA. It addresses: the ways in which organizations collect, use and disclose personal information; the rights of individuals to have access to their personal information; and the right to have it corrected, if necessary. The Model Code’s 10 principles are:
- Accountability: An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with these principles.
- Identifying purposes: The purposes for which personal information is collected will be identified by the organization at or before the time the information is collected.
- Consent: The knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.
- Limiting collection: The collection of personal information will be limited to that which is necessary for the purposes identified by the organization. Information will be collected by fair and lawful means.
- Limiting use, disclosure and retention: Personal information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information will be retained only as long as necessary for the fulfilment of these purposes.
- Accuracy: Personal information will be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
- Safeguards: Personal information will be protected by security safeguards appropriate to the sensitivity of the information.
- Openness: An organization will make readily available to individuals specific information about its policies and practices relating to the management of personal information.
- Individual access: Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information. An individual may challenge the accuracy and completeness of the information and have it amended as appropriate.
- Challenging compliance: An individual may address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.
PIPEDA (Personal Information Protection and Electronic Documents Act) – An Act to extend the present laws of Canada that protect the privacy of individuals and that provide individuals with a right of access to personal information about themselves (Privacy Act, chap. P-21).
Personal information – Information about an identifiable individual that is recorded in any form. Specific exceptions exist for the purpose of requests through the Access to Information Act, R.S.C. 1985, c. A-1.
Canadian Standards Association. (2010). View privacy code [Model Code principles]. Available at http://www.csa.ca/cm/ca/en/privacy-code/publications/view-privacy-code
Office of the Privacy Commissioner of Canada. (2010). A guide for businesses and organizations: Your privacy responsibilities. Ottawa: Author. Available from http://www.priv.gc.ca/information/guide_e.pdf